Wrappers like strncpyt() and openvpn_snprintf() guard calls into unsafe C standard library functions, protecting against buffer overflows and missing NUL termination; and

Keys and other sensitive data are securely wiped from memory to prevent information leaks.
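To make the two points above concrete, here is an added example (not OpenVPN's code, nor anything from either audit report) of the defensive patterns being praised: a bounded string copy that always NUL-terminates and reports truncation, set beside the raw strncpy() behaviour it exists to prevent, and a wipe routine that the compiler cannot optimise away. The names bounded_copy() and secure_wipe(), and the check_* functions, are hypothetical helpers written for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates the destination. The standard
   strncpy() leaves no terminator when src is n bytes or longer, which is
   the classic source of later over-reads. n is the full size of dst.
   Returns 0 on a clean copy, 1 if truncated, -1 if nothing can be written.
   (Hypothetical helper modelled on the kind of wrapper the article
   describes; not the project's own function.) */
int bounded_copy(char *dst, size_t n, const char *src)
{
    size_t len;
    if (n == 0) return -1;               /* no room even for the NUL */
    len = strlen(src);
    if (len >= n) {
        memcpy(dst, src, n - 1);
        dst[n - 1] = '\0';
        return 1;                        /* truncated, caller can log it */
    }
    memcpy(dst, src, len + 1);           /* includes the terminator */
    return 0;
}

/* Wipe that survives optimisation: a plain memset() on a buffer that is
   never read again is a dead store the compiler may drop, so each byte is
   written through a volatile pointer. explicit_bzero() and memset_s() are
   platform-provided equivalents. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if copying a 16-byte source into an 8-byte buffer leaves the
   buffer NUL-terminated within bounds and holding the expected prefix. */
int check_terminated_after_overlong(void)
{
    char buf[8];
    int rc;
    memset(buf, 'X', sizeof buf);        /* poison so a missing NUL shows */
    rc = bounded_copy(buf, sizeof buf, "0123456789ABCDEF");
    return rc == 1 && memchr(buf, '\0', sizeof buf) != NULL
           && strcmp(buf, "0123456") == 0;
}

/* Returns 1 if a raw strncpy() of the same source leaves no NUL anywhere
   in the buffer, the defect the wrapper above prevents. */
int check_raw_strncpy_unterminated(void)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, "0123456789ABCDEF", sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Returns how many nonzero bytes remain in a constructed 32-byte key
   after wiping; a correct wipe leaves zero. */
size_t check_wipe_residue(void)
{
    unsigned char key[32];               /* constructed sample key material */
    size_t i, residue = 0;
    for (i = 0; i < sizeof key; i++) key[i] = (unsigned char)(0xA5 ^ i);
    secure_wipe(key, sizeof key);
    for (i = 0; i < sizeof key; i++) residue += (key[i] != 0);
    return residue;
}

int main(void)
{
    printf("wrapper terminates over-long copy: %d\n", check_terminated_after_overlong());
    printf("raw strncpy left buffer unterminated: %d\n", check_raw_strncpy_unterminated());
    printf("nonzero bytes after wipe: %zu\n", check_wipe_residue());
    return 0;
}
```

The truncation return value is the part worth copying: silently truncating a path or hostname is itself a bug class, so a wrapper that reports it lets the caller reject the input rather than proceed on a mangled value.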

Crypto gets a bouquet: for example, nobody fell into the trap of using weak key generation.

Developers of the future get perhaps the sternest warning, because as the report notes, there's always the chance that a vulnerability will come not from fat-thumbs in the C code, but in someone's “hey, everybody, why don't we …”

As the report notes: “vulnerabilities may crop up from certain feature combinations. This will be an ongoing challenge for OpenVPN developers to catch these problems early as the code base continues to evolve and expand”.

Green's audit was carried out in parallel with a separate European audit run by QuarksLab and supported by the Open Source Technology Improvement Fund.

That audit turned up two bugs Green's project missed: CVE-2017-7478 (the server can be hosed by a large control packet), and CVE-2017-7479, a packet counter ID rollover that causes a denial of service. Both were fixed in versions 2.4.2 and 2.3.15 before the report landed. ®